>Number:         23167
>Category:       bin
>Synopsis:       login(1) s/key prompt does not comply with RFC2289
>Confidential:   no
>Severity:       non-critical
>Priority:       medium
>Responsible:    bin-bug-people
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Thu Oct 16 05:19:00 UTC 2003
>Closed-Date:
>Last-Modified:
>Originator:     Dave Huang
>Release:        NetBSD 1.6ZC
>Organization:
Name: Dave Huang         |  Mammal, mammal / their names are called /
INet: khym@azeotrope.org |  they raise a paw / the bat, the cat /
FurryMUCK: Dahan         |  dolphin and dog / koala bear and hog -- TMBG
Dahan: Hani G Y+C 27 Y++ L+++ W- C++ T++ A+ E+ S++ V++ F- Q+++ P+ B+ PA+ PL++
>Environment:
	
	
System: NetBSD yerfable.azeotrope.org 1.6ZC NetBSD 1.6ZC (YERFABLE) #200: Sat Oct 4 00:54:49 CDT 2003 khym@yerfable.azeotrope.org:/usr2/obj.alpha/sys/arch/alpha/compile/YERFABLE alpha
Architecture: alpha
Machine: alpha
>Description:
	The s/key prompt issued by login(1) looks like this:

Password [otp-md5 94 yerf08320]:

However, RFC2289 says that "...the entire challenge string MUST be
terminated with either a space or a new line."

See bin/14848 <http://www.netbsd.org/cgi-bin/query-pr-single.pl?number=14848>
where ftpd was doing the same thing (ftpd has since been fixed and the
PR closed).

>How-To-Repeat:
	Telnet to a system using s/key OTPs and log in.
>Fix:
Index: login.c
===================================================================
RCS file: /cvsroot/src/usr.bin/login/login.c,v
retrieving revision 1.74
diff -u -r1.74 login.c
--- login.c	2003/08/26 16:48:33	1.74
+++ login.c	2003/10/16 05:16:36
@@ -422,7 +422,7 @@
 			const char *skinfo = skey_keyinfo(username);
 				
 			(void)snprintf(skprompt, sizeof(skprompt)-1,
-			    "Password [%s]:",
+			    "Password [ %s ]:",
 			    skinfo ? skinfo : "error getting challenge");
 			pwprompt = skprompt;
 		} else

>Release-Note:
>Audit-Trail:
>Unformatted: